Is there a way to make it safe to use <?php include "$_GET[page]"; ?>?
I have been using:
<?php
// Abort if the raw query string contains "http" or a slash.
$string = $_SERVER['QUERY_STRING'];
if (stristr($string, 'http') === FALSE && stristr($string, '/') === FALSE) {}
else
    die();

// Abort if the raw query string contains <, > or ", literal or URL-encoded.
$string = "$_SERVER[QUERY_STRING]";
if (
    stristr($string, '<') === FALSE &&
    stristr($string, '>') === FALSE &&
    stristr($string, '%3C') === FALSE &&
    stristr($string, '%3E') === FALSE &&
    stristr($string, '"') === FALSE &&
    stristr($string, '%22') === FALSE) {}
else
    die();

// Abort if the page or back parameter starts with a slash.
$string = $_GET['page'];
if ($string[0] == '/')
    die();
$string = $_GET['back'];
if ($string[0] == '/')
    die();

$protect = 1;
?>
But I am not entirely sure if that is safe... Is there a better way to include files that are in a URL string... security-wise?
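
For comparison with the character filter above, an allowlist approach to the same include, as an added example that is not part of the original post: the `page` parameter is only ever used as a lookup key, so request data never becomes part of the included path. The page names, the `pages/` directory and the `resolve_page()` helper are hypothetical.

```php
<?php
// Added example: resolve ?page= through a fixed allowlist instead of
// filtering out bad characters. Names and paths below are hypothetical.

const PAGES_DIR = __DIR__ . '/pages';

// Public page name => file on disk. Only these files can ever be included.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page($requested): ?string
{
    // Reject arrays (?page[]=x), missing values and unknown names up front.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }

    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . PAGES[$requested]);

    // Defence in depth: the resolved file must exist and must sit inside
    // PAGES_DIR after symlinks are resolved.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$file = resolve_page($_GET['page'] ?? 'home');
if ($file === null) {
    http_response_code(404);
    exit('Page not found');
}

// The included path comes from the PAGES constant, never from the request.
include $file;
```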